TP-Link has issued security patches to fix four vulnerabilities affecting its Omada gateway devices. Among them are two critical flaws that could allow attackers to execute arbitrary code remotely.
Overview of Vulnerabilities
The identified vulnerabilities are as follows:
- CVE-2025-6541 (CVSS 8.6): A command injection flaw that allows an authenticated attacker with access to the web management interface to run arbitrary system commands.
- CVE-2025-6542 (CVSS 9.3): A remote command injection vulnerability that can be exploited by unauthenticated attackers to execute arbitrary commands.
- CVE-2025-7850 (CVSS 9.3): A command injection issue that can be abused by an attacker who possesses the administrator password for the web portal.
- CVE-2025-7851 (CVSS 8.7): A privilege management flaw that, under specific conditions, allows an attacker to gain root shell access on the operating system.
According to TP-Link’s advisory published on Tuesday, “Attackers may execute arbitrary commands on the device’s underlying operating system.”
Affected Devices and Versions
The following models and firmware versions are impacted:
- ER8411: Versions earlier than 1.3.3 Build 20251013 Rel.44647
- ER7412-M2: Versions earlier than 1.1.0 Build 20251015 Rel.63594
- ER707-M2: Versions earlier than 1.3.1 Build 20251009 Rel.67687
- ER7206: Versions earlier than 2.2.2 Build 20250724 Rel.11109
- ER605: Versions earlier than 2.3.1 Build 20251015 Rel.78291
- ER706W: Versions earlier than 1.2.1 Build 20250821 Rel.80909
- ER706W-4G: Versions earlier than 1.2.1 Build 20250821 Rel.82492
- ER7212PC: Versions earlier than 2.1.3 Build 20251016 Rel.82571
- G36: Versions earlier than 1.1.4 Build 20251015 Rel.84206
- G611: Versions earlier than 1.2.2 Build 20251017 Rel.45512
- FR365: Versions earlier than 1.1.10 Build 20250626 Rel.81746
- FR205: Versions earlier than 1.0.3 Build 20251016 Rel.61376
- FR307-M2: Versions earlier than 1.2.5 Build 20251015 Rel.76743
Security Recommendations
Although TP-Link has not reported any active exploitation of these vulnerabilities, users are strongly encouraged to update their firmware immediately to secure their devices.
After updating, TP-Link advises users to verify their device configurations to ensure that all settings remain correct, secure, and aligned with their preferences.
The company also included a disclaimer noting that it will not be responsible for any issues that occur if users fail to follow the recommended security actions.
